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ABSTRACT 



In an IC card incorporating residual multiplier hardware for 
implementing a high-speed algorithm for a residual multi- 
plication arithmetic, a method and a device capable of 
executing public key encryption processing such as an 
elliptic curve encryption processing at a high speed. 
Residual arithmetic succeeding to generation of a random 
number and residual arithmetic in a signature generating 
processing can be executed by using a residual multiplier. 
Further, in order to use effectively the residual multiplier for 
arithmetic operation on an elliptic curve, the point on the 
elliptic curve is transformed from a two-dimensional affine 
coordinate system to a three-dimensional coordinate system. 
Additionally, multiplicative inverse arithmetic for realizing 
reverse transformation from the three-dimensional coordi- 
nate system to the two-dimensional afiBne coordinate system 
as well as for determining a signature s can be executed only 
with the residual multiplication arithmetic. By making use 
of the residual multiplier in this manner, the processing 
speed can be increased. Computation complexity can be 
reduced by storing previously those parameters which are 
used frequently and constant multiplies of a base point of the 
elliptic curve in the form of tables, which also contributes to 
increasing of processing speed. 

6 Claims, 7 Drawing Sheets 
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IC CARD EQUIPPED WITH ELLIPTICAL Addition between two points Pj and P 2 on the elliptic 

CURVE ENCRYPTION PROCESSING curve, i.e., P 3 -P,+P 2 (where P,-(x f , y,)), can be defined as 

FACILITY follows: 

Case where P^P? 

BACKGROUND OF THE INVENTION s ta toc^Varithmetics « involved wiU hereinafter be 

The present invention relates generally to an IC card referred to as the elliptic addition arithmetic, 

(integrated circuit card) capable of processing encryption The elliptic addition arithmetic includes addition per- 

data or information. More particularly, the invention is formed zero times, subtraction performed six times, multi- 

concerned with a method capable of executing at a high plication: performed twice and division performed once, as 

speed elliptic curve encryption processing in an encryption 10 follows: 
processing in which hardware designed for executing a 

high-speed algorithm for a residual multiplication arithmetic k»(v 2 -y i)/(*2-*i). 
(multiplication on the set of integers) is adopted and a device 

such as an IC card in which the above-mentioned method is x 3 -X 2 -x 1 -* 2 , 

adopted. 15 

For having better understanding of the present invention, 

technical background thereof will first be described in some j> 3 -*(*i-JO-yi 
detail. As an encryption scheme for a public key crypto- 

system, there is known an RSA encryption scheme which Case where P a -P 2 

was invented by Rivest, Shamir and Adleman in 1978. The 20 j n tnis case ^ tne arithmetic will hereinafter be referred to 

basic principle underlying the RSA encryption will be as t h e elliptic by-two -multiplication arithmetic, 

reviewed below. Th e elliptic by-two-multiplication arithmetic includes 

Basic Principle of RSA Encryption addition performed once, subtraction performed three times, 

Representing a secret key by (d, n), a public key by (e, n), multiplication performed three times and division performed 

a plaintext by M and a co-processor by c, respectively, then 25 once> as follows; 
the encryption and the decryption can be represented, 

respectively, by the calculation formulae mentioned below. ^[3xi2+a)/2y lf x3=\ 2 -2xi 

Encryption: CsM* (mod n), 

and 30 

decryption: MxC* (mod n). 



and 



In the above expressions, n is given by p*q where p and At this juncture, it should be mentioned that all the 

q represent large prime numbers, respectively which satisfy arithmetic operations mentioned above are performed on a 

the conditions that X(n)-LCM {(p-1), (q-1)} (where LCM 35 residue system to modulus p. 

represents a least common multiple), GCD {e, H n )} =1 The security of the elliptic curve encryption described 

(where GCD represents a greatest common divisor), and that above is based on the fact that when a point derived through 

d=e -1 mod X(n). multiplication of a point Aon the elliptic curve by x (i.e., the 

The security of the RSA encryption is ensured by the fact point obtained by adding "A" x times) is represented by 

that it is very difficult to factorizen into prime factors. In this 40 B(=xA), extreme difficulty will be encountered in finding 

conjunction, it is recommended to employ large integers on the value of x on the basis of the values of the points A and 

the order of 1024 bits as the parameters such as e, d, n, M b if known. This feature is known as the elliptic curve 

and so forth. In that case, modular multiplication on the set discrete logarithm problem. In order to ensure the security 

of integers (hereinafter referred to also as the residual comparable to that realized by the 1024-bit RSA encryption 

multiplication arithmetic) has to be conducted 1534.5 times 45 described previously, it is recommended that each of the 

on an average for a single processing in accordance with the parameters such as p, a, x t -, y„ etc. be an integer on the order 

encryption formula C=M* (mod n), when such a binary 0 f bits. 

operation method is resorted to, which is described in detail ^ ar i mm etic operation for determining the point (k*P) 

in D. E. Knuth: "SEMINUMERICAL ALGORITHMS corresponding to multiplication of a point P by k, which 

ARITHMETIC, The Art of Computer Programming, Vol. 50 constitutes one of the basic arithmetic operations for the 

2, Addison-Wesley, 1969. elliptic curve encryption, can be realized by computation in 

Furthermore, as another encryption scheme belonging to accordance with the addition on the elliptic curve (elliptic 

the public key crypto-system, there may be mentioned an curve add jti on ) mentioned above. In this conjunction, it is 

elliptic curve encryption processing proposed by Koblitz noted that the modu lar division on the set of integers 

and Miller independently in 1985. The basic principle under- 5S (hereinafter also referred to as the residual division 

lying this elliptic curve encryption will be reviewed below. arithmetic) has to be conducted in order to determine X. The 

Principle of the Elliptic Curve Encryption residual division arithmetic (i.e., modular division on the set 

Representing the order of a finite field by a prime number of integers) can generally be coped with by resorting to an 

p while representing by a and b the parameters which algorithm such as an extended Euclidean algorithm or the 

determine the elliptic curve, a set which includes a set of 60 Uke, which requires, however, lots of processing times. Such 

points capable of satisfying the conditions given by the bemg tne circumstances, there is widely adopted the method 

undermentioned expression and which is added with a or scheme for rea lizing the arithmetics on the elliptic curve 

virtual point at infinity is referred to as the elliptic curve Ep. by transforming a point on a two-dimensional affine coor- 

For the convenience of illustration, the elliptic curve Ep of dinate system mt0 a po int on a three-dimensional coordinate 

concern is presumed to be capable of being represented on 65 S y Stem without resorting to the residual divisionarithmetic 

the affine coordinate system. processing. For more particulars of this scheme, reference 

Ep: yW+tw+fr (mod p) may be made to D. V. Chudnovsky and G. V Chudnovsky: 
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"SEQUENCES OF NUMBERS GENERATED BY ADD1- At this juncture, it should however be noted that the 
TION IN FORMAL GROUPS AND NEW PRIMAUTY residual division arithmetic (i.e., division on the set of 
AND FACTORIZATION TESTS", Advances in Applied integers) has to be executed once upon reverse transforma- 
Matbematics, Vol. 7, pp. 385-434, 1986. By way of tion from the three-dimensional coordinate system to the 
example, when the addition arithmetics on the elliptic curve 5 two-dimensional coordinate system . 
Ep in the two-dimensional affine coordinate system is trans- Assuming, by way of example, that a 160-bit elliptic 
formed into addition arithmetics in the three-dimensional curve encryption is transformed to that on the three- 
projective coordinate system so that the conditions given by dimensional projective or mapping coordinate system, and 
x=X/Z 2 (mod p) and y=Y/Z 3 (mod p) can be satisfied, the that the k-P arithmetic is realized by using the binary 
addition arithmetics are defined as follows: 10 operation scheme mentioned hereinbefore, the residual mul- 

The elliptic addition arithmetic includes addition per- tiplication arithmetic will have to be performed as many 
formed twice, subtraction performed five times, multiphca- times as 2862 times on an average, 
tion performed sixteen times and division performed zero As will now be appreciated from the foregoing 
times, as follows: description, in the public key encryption scheme such as the 

15 RSA encryption method and the elliptic curve encryption 
XjtIP-TyV 2 , method, lots of residual multiplication arithmetic process- 

Y vr mw* ings (i.e., modular multiplications on the set of integers) are 

2Y 3 =vr- , required as the basic arithmetic operation. Such being the 

anc j circumstances, there have been developed and proposed 

20 methods or schemes for speeding up the residual multipli- 
z^-z^w cation arithmetic by resorting to a high-speed algorithm for 

the residual multiplication arithmetic, to thereby speed up 
where t nc encryption processing on the whole. 

2 2 In particular, in the RSA encryption scheme, the arith- 

1 2 ~ ^ ' 25 metic operations therefor are in large part the residual 

R=Y x zJ-Y£ x y > multiplication arithmetic. Thus, there has been realized such 

hardware designed for executing the high-speed algorithm 
T^XiZ-f+x^i* fo r the residual multiplication arithmetic. Further, the 1C 

card capable of executing the RSA encryption processing at 
30 a high speed has been realized by employing such hardware 
anc j so as to meet the stipulation of the IC Card Standards 

IS07816. 

v-T\v 2 -?x 3 . SUMMARY OF THE INVENTION 

The elliptic by-two -multiplication arithmetic includes 3S By contrast, in the case of the elliptic curve encryption 
addition performed once, subtraction performed three times, scheme, residual four-rules arithmetics are required as the 
multiplication performed ten times and division performed basic arithmetic operations. Among the residual four-rules 
zero times, as follows: arithmetics, the residual division arithmetic requires lots of 

processing time, which presents a serious problem to the 
Xj-Af 2 -^, ^ approach for speeding up the elliptic curve encryption 

y ~M(S-X )-T t processing. Parenthetically, a method or scheme for decreas- 

331 ing the number of times the residual division arithmetic has 

and to be executed in the elliptic curve encryption processing 

and a scheme for speeding up the residual division arith- 
z^-2Y x Z % metic have already been proposed in A Shimbo "APPLI- 

CATION OF MONTGOMERY ARITHMETICS TO 
wherc ELLIPTIC CURVE ENCRYPTION", SCIS, 1997 (The 

M-3X 2 +aZ 4 1997 Symposium on Cryptography and Information 

1 1 ' Security). However, it is noted that attempt for applying the 

S-ax^ 2 , 50 methods disclosed in the above literature to the devices such 

as the IC card stipulated in the Standards IS07816 will 
and unavoidably limited in view of the present state of the 

4 semiconductor technology. Thus, lot of time will be taken 

1 for the multiplicative inverse arithmetic operation in the 

At this juncture, it should be mentioned that all the 55 residual division arithmetic, making it difficult to enhance 
arithmetic operations mentioned above are performed on a mc processing speed. 

residue system to modulus p. Accordingly,, in the light of the state of the art described 

As another example of the coordinate transformation above, it is an object of the present invention to provide 
methods, there may be mentioned a coordinate transforma- a-method capable of executing at a high speed the elliptic 
tion to a three-dimensional homogeneous coordinate system 60 curve encryption processing in an encryption processingiin 
such that the conditions given by the following expressions which hardware designed for executing a high-speed algo- 
can be satisfied. nthm for the residual multiplication arithmetic is adopted. 

Another object of the invention is to provide a device such 
xbXIZ (mod p), as an iq card in which the above-mentioned method is 

and 65 ado P ted * 

Yet another object of the present invention is to provide a 

ysY/z (mod p) method capable of executing at a high speed the digital 
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signature processing in a device such as, e.g. an IC card, in positive integer a which is relatively prime to a prime 

which hardware designed for executing a high-speed algo- number p: 
rithm for the residual multiplication arithmetic (i.e., modular 

multiplication on the set of integers) is adopted. <&~ lml ( mod ® 

Still another object of the invention is to provide a device s According to this theorem, the multiplicative inverse 

such as an IC card in which the method mentioned just arithmetic "a" 1 mod p" can be expressed as follows: 
above is adopted. 

It is a further object of the present invention to provide a a ea ^ mod ^ 

method capable of speeding up the multiplicative inverse 10 According to an aspect of the present invention, the values 

arithmetic in the residual division arithmetic (Le., modular of the order p of a field and the order n of a base pomt 

division on the set of integers) in the elliptic curve encryp- are ^presented by prime numbers of large values, 

tion processing. respectively, so that the condition for fulfilling the Fermat's 

It is also an object of the present invention to provide a theorem mentioned above, i.e., the condition that the prime 

device in which the method mentioned just above is adopted. 15 number P and the positive integers are relatively prime, can 

Inviewoftheaboveandotherobjects which will become ^ be sati f fie f K According!) ^the value or quantity a"' 

apparent as the description proceeds, there are provided mod » 15 e f ^ al t0 a ^ m f 

rr t , r c . . M( . „ I* M by way of example, that the residual multiplication anth- 

accordine to aspects of the present invention undermen- 7 . I * ■. . ^- . ^ 

, * r f c • 4 (U . metic is performed by resorting to the binary operation 

tioned scheme or arrangements for carrying out the inven- , ^ , e „• ,• • ■ -i AQ 

t - on 20 method, the value of multiplicative inverse, i.e., a mod p, 

can be determined by performing the residual multiplication 

At first, according to an aspect of the present invention arithmetic by a number of times given by ((|p-2|-l)x3/2), 

which is directed to a device such as, for example, an IC where |P~2| represents bit number of (P-2). By adopting the 

card, which includes hardware for executing a high-speed method mentioned above, it is also possible to reduce the 

algorithm for the residual multiplication arithmetics 2 s program size or scale because of no necessity of preparing 

(hereinafter the hardware will be referred to as the residual the algorithm such as Euclidean algorithm or the like as a 

multiplier), there is provided an elliptic curve encryption program(s). 

processing method in which arithmetic operations involved [ n aD arrangement according to another aspect of the 

in the elliptic curve encryption processing are realized present invention, those parameters which are used very 

largely by the residual multiplication arithmetics (i.e., 30 frequently in the arithmetic operations and which can be 

modular multiplication on the set of integers) so that the calculated beforehand with a personal computer or the like 

residual multiplier can be utilized effectively. arc previously determined to be stored as one of system 

More specifically, the residual arithmetics performed in information in a rewritable nonvolatile memory incorpo- 
succession to generation of random numbers required for the rated in the IC card. Thus, computational complexity of the 
elliptic curve encryption processing and the residual arith- ^5 arithmetic processing can be reduced. In this conjunction, as 
metics involved in the signature generation processinglare the data to be stored previously in the rewritable nonvolatile 
so structurized as to be capable of being executed by using memory as the system information, there may be mentioned 
the residual multiplier. Furthermore, in order to make it order p of a finite field, values "aR mod p" resulting from 
possible to utilize effectively the residual multiplier for the transformation of elliptic curve parameter a, point (X, Y, Z) 
elliptic curve arithmetics, the residual division arithmetic 40 whicn can be obtained by transforming two-dimensional 
(i.e., modular division on the set of integers) involved in, the aflfine coordinates (x, y) of a point P (base point) on the 
elliptic curve addition arithmetic is transferred into the elli P tic curve into coordinates in a three-dimensional pro- 
residual multiplication arithmetic by transforming points on jective coordinate system, which coordinates are then trans- 
an elliptic curve in theltwo-dimensional affine coordinate ^rm&i to be appropriate for a residual multiplication arith- 
system into those in a three-dimensional coordinate system, 45 metic unit, order n of the base point, secret key d, values "2R 
wherein the residual multiplication arithmetic is executed by mod p", "3R mod p", "4R mod p", "8R mod p" and "2" R 
making use of the residual multiplier. mod P" resulting from transformation of constants, 

respectively, which are employed in the elliptic curve 

According to another aspect of the present invention arithmetics, and values "R mod p", "R mod n", "R 2 mod p" 

which is directed to the scheme for speeding up the multi- SQ afld ((r2 mod n „ employed in the residual mult iplication 

plicative inverse anthmetic, the multiplicative inverse anth- arithmetiCt In the above description, R represents a positive 

metics required not only in the coordinate system transfer- mteger which satisfies the condition thal R _ 2 | p |, where |p| 

mation from the three-dimensional coordinate system to the represents the bit number of the or der p of the finite field, 

two-dimensional affine coordinate system but also in gen- According to yet another aspect of the present invention, 

erating the signature data are realized by resorting to the 5S mere fe provided an IC card in which points corresponding 

residual multiplication anthmetic (i.e., modular multiphca- tQ int mu iti p les of the base point are stored in a 

tion on the set of integers). The multiplicative inverse rewritable nonV olatile memory incorporated in the IC card 

arithmetic for the residue system is ordinarily realized by m the form of tables with a view to reducing the computaUon 

making use of algorithm such as extended Euclidean algo- overhead by decreasing the number of processings involved 

rithm. However, in the case where modulus to the residue or 6Q m ^ mjye additioQ arit hmetics. In this conjunction, 

remainder is prime number, the multiplicative inverse anth- ft shouM be mentioned that the computational overhead can 

metic can be realized by using only the residual multiphca- be reduccd ^ lhe number of ^ table increascSt However, 

tion anthmetic without need for relying on the algorithm the amQunt of data ^ data size) t0 be stored in the 

such as the extended Euclidean algonthm. This will be rewritable nonvolatile memory will then increase corre- 

elucidated below. 65 S p 0n dingly. Accordingly, it is also taught by the invention 

According to the Fermat's theorem, the statement given that points obtained by exponentiation of the base points by 

by the undermentioned expression can apply valid to a four are stored in the memory in the form of tables. In that 
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case, the number of the points stored as the tables, i.e., the 
number of tables, is given by |p|/2, where |p| represents the 
bit number of the order p of the finite field. The tabled values 
are transformed into coordinates on a three-dimensional 
projective coordinate system and then transformed to points S 
given by P,- (X,-, Y„ Z ( ) suited for arithmetics executed by the 
residual multiplier. In the expression mentioned just above, 
i represents an integer, satisfying the condition that 0^i<|p|/ 
2. 

In the case where the large memory capacity is available, 10 
the points resulting from exponentiation of the base points 
by two may be stored as tables. In that case, the arithmetic 
operations on the elliptic curve may be structurized only 
with the elliptic addition arithmetics, whereby the number of 
processings as required can be reduced. 15 

In general, when the values of points resulting from 2" 
(where n represents a natural number) of the base points are 
stored as tables, the number of the tables is given by |p|/n, 
where |p| represents the bit number of order p of the finite 
field. In practical applications, the number of the tables may 20 
be determined by taking into account the computation 
performance of a CPU and the capacity of a memory 
destined for storing the tables. 

Other subjects, features and advantages of the present 
invention will become apparent from the following detailed 25 
description of the embodiments taken in conjunction with 
the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the course of the description which follows, reference 30 
is made to the drawings, in which: 

FIG. 1 is a schematic block diagram showing generally an 
arrangement of a device to which the present invention can 
find application; 35 

FIG. 2 is a flow chart for illustrating a signature genera- 
tion procedure based on the elliptic curve encryption method 
according to an embodiment of the invention; 

FIG. 3 is a flow chart for illustrating in detail a sequence 
of processings in a step 203 shown in FIG. 2; 40 

FIG. 4 is a flow chart for illustrating in detail an elliptic 
addition arithmetic in the processing procedure shown in 
FIG. 3; 

FIG. 5 is a flow chart for illustrating in detail elliptic 
by-two -multiplication arithmetic in the processing proce- 45 
dure shown in FIG. 3; 

FIG. 6 is a flow chart for illustrating in detail a sequence 
of processings in a step 204 shown in FIG. 2; and 

FIG. 7 is a flow chart for illustrating in detail a sequence 50 
of processings in a step 205 shown in FIG. 2. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Now, the present invention will be described in detail in 55 
conjunction with what is presently considered as preferred 
or typical embodiment thereof by reference to the drawings. 
In the following description, like reference characters des- 
ignate like or corresponding parts throughout the several 
views. 60 

FIG. 1 is a schematic block diagram showing generally an 
arrangement of a digital signature system which is incorpo- 
rated in an I C card by making use of a microcomputer such 
as, for example, a microcomputer of H8/3 Ill-model com- 
mercially available from Hitachi, Ltd. and in which addition 65 
arithmetic on the elliptic curve in a finite field is employed. 
Referring to FIG. 1, the IC card denoted generally by 
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reference numeral 101 includes a CPU (Central Processing 
Unit) 102, a ROM (Read-Only Memory) 103 destined for 
storing operation instructions involved in carrying out the 
present invention, an EEPROM (Electrically Erasable; and 
Programmable Read-Only Memory) 104 serving as a rewrit- 
able nonvolatile memory for storing system information and 
data such as the finite field orders, elliptic curve parameters 
and the like, an I/O (input/output) port 105 for controlling 
input/output to/from the IC card 101, a RAM (Random 
Access Memory) 106, a residual multiplier 107 capable of 
executing or performing the residual multiplication arith- 
metic (modular multiplication on a set of integers), a power 
supply terminal (Vcc) 110, a ground terminal (Vss) 111, a 
clock terminal (CLK) 112, a reset terminal (RES) 113 and an 
I/O (input/output); terminal (I/O) 114. Hie individual ter- 
minals of the IC card 101 are electrically connected to 
relevant components incorporated in the IC card 101. The 
above-mentioned residual multiplier 107 which is designed 
for performing residual multiplication arithmetic may be 
constituted by a co -processor of the Hitachi Microcomputer 
Model H8/3111 mentioned above. Of course, other equiva- 
lent co-processor can be employed to this end. 

The residual multiplier 107 mentioned above incorporates 
a CPU/residual-multiplier-shared RAM 109 which can be 
used in common by both the residual multiplier 107 and the 
CPU 102, wherein the RAM 109 includes at least three data 
registers CD A, CDB and CDN. Arithmetic operations per- 
formed by the residual multiplier 107 are executed with 
input data being stored in the data registers CDA, CDB and 
CDN, respectively. In that case, the result of the arithmetic 
operation carried out by the residual multiplier 107 is stored 
in the data register CDA by rewriting the value thereof. In 
this conjunction, it should however be noted that the values 
of the data registers CDB and CDN remain unchanged after 
the arithmetic operation. Further, it should be mentioned that 
the residual multiplier 107 is so designed as to be capable of 
executing or performing any given one of the three types of 
arithmetic operations mentioned below in response to a 
command designating the operation type. 

Namely, 

CDA*-(CDACDB) R' 1 mod (CDN) (hereinafter referred to as the 
residual arithmetic 1), 

CDA— (CDA 2 ) R- 1 mod (CDN) (hereinafter referred to as the 
residual arithmetic 2), 

and 

CDA*-(CDA) R~ x mod (CDN) (hereinafter referred to as the 
residual arithmetic 3). 

The individual elements or components incorporated in 
the IC card 101 such as mentioned previously are intercon- 
nected through the medium of a bus 108. 

Furthermore, representing by a prime number p the order 
of an finite field, the elliptic curve Ep employed in carrying 
but the present invention can be represented by a set 
corresponding to a set of points which can satisfy the 
undermentioned expression for the parameters (a, b) which 
determine the elliptic curve and added with a virtual point at 
infinity. For the convenience's sake, the elliptic curve Ep of 
concern is presumed to be represented on the afEne coordi- 
nate system. 

Ep: y 2 ax 3 +ax+b (mod p) 

Furthermore, the base point is represented by P(x, y), the 
order of which is represented by a prime number n. 
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(1) Storage of System Information 

Stored in the EEPROM 104 are order p of a finite field, 
value "aR mod p" resulting from transformation of elliptic 
curve parameter a, point P/X,-, Y it Z t ) (where i represents an 
integer satisfying the condition that 0^i<|p|/2 with |p| rep- 5 
resenting bit number of a finite field order p) which can be 
obtained by transforming two-dimensional affine coordi- 
nates (x, y) of a point P (base point) on the elliptic curve into 
coordinates in a three-dimensional projective coordinate 
system, which coordinates are then transformed to be proper 10 
to the residual multiplication arithmetic unit, order n of the 
base point, secret key d, values "2R mod p", "3R mod p", 
"4R mod p", "8R mod p" and "2 -:l R mod p" resulting from 
transformation of constants, respectively, which are 
employed in the elliptic curve arithmetics, and values "R 15 
mod p", "R mod n", "R 2 mod p" and "R 2 mod n" used in the 
residual multiplication arithmetic. In the above statement, R 
represents a positive integer which satisfies the conditions 
that R>p and that R>n, e.g. a smallest positive integer which 
has a bit length equal to a greater one of either |p|+l or |n|+l. 20 
Storage of the system information is performed before the 
encryption processings described below are executed. 
Parenthetically, in the above statements, R assumes a 
numerical value given as a constant and represents a param- 
eter determined in dependence on the arithmetic perfor- 25 
mance of, by way of example, the co-processor which 
constitutes or serves as a multiple length arithmetic unit. 

(2) Generation of Digital Signature 

FIGS. 2 to 7 are flow charts for illustrating a processing 
procedure for generation of a digital signature which is 30 
performed by the elliptic curve encryption processing unit 
according to the instant embodiment of the present inven- 
tion. At first, the signature generation procedure will be 
described generally by reference to FIG. 2. 

In the flow charts referenced in the following description, 35 
it is presumed that the CPU 102 executes the program stored 
in the ROM 103 while allowing the residual multiplier 107 
to execute the relevant processing by using the data stored 
in the RAM 106 and the EEPROM 104, as occasion 
requires. 40 

Step 201: Processing procedure is started. 

Step 202: A random number k is generated, whereon the 
random number k as generated is stored in the data register 
CDA incorporated in the residual multiplier 107 while the 
value "R mod n" stored in the EEPROM 104 is set or placed 45 
in the data register CDB equally incorporated in the residual 
multiplier 107, for thereby allowing the residual multiplier 
107 to execute the residual arithmetic 1 defined previously. 
The result of execution as stored currently in the data 
register CDA is set as the updated or renewed random 50 
number k. 

Step 203: The random number k generated in the step 202, 
the system information p, value "aR mod p" and the point 
coordinates data P(X, Y, Z) stored in the EEPROM 104 are 
inputted to execute the calculation k*P, i.e., multiplication of 55 
the base point P on the elliptic curve by the random number 
k. This calculation can be achieved by performing elliptical 
addition arithmetic on the finite field in the three- 
dimensional projective coordinate system, i.e., scalar mul- 
tiple arithmetic by means of the CPU 102. In that case, the 60 
residual multiplication arithmetic involved in the elliptical 
addition arithmetic can be carried out by using the residual 
multiplier 107 which is constituted by the co-processor, as 
mentioned previously. 

Step 204: The point coordinate data (X, Y, Z), i.e., the 65 
result of execution in the step 203, represents a point in the 
three-dimensional projective coordinate system, as men- 
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tioned above. Accordingly, the point coordinate data (X, Y, 
Z) has to be transformed into a point coordinate (x, y) on the 
two-dimensional affine coordinate system. The arithmetic 
operation for this coordinate transformation can be repre- 
sented by x=X/Z 2 (mod p). However, the arithmetic opera- 
tion given by x=XZ*~ 3 (mod p) can be carried out to this 
end, because the formula x=X-Z^ 3 (mod p) can apply valid 
in view of the Fermat's theorem. Thus, in place of the 
residual division arithmetic,the residual multiplication arith- 
metic (i.e., xhXZ^ 3 (mod p)) is carried out with the aid of 
the residual multiplier 107. In this manner, by using the 
formula xaXZ^ 3 (mod p) instead of the formula x=X/Z 2 
(mod p), the coordinate transformation can be realized only 
with the residual multiplication arithmetic without resorting 
to the residual division arithmetic. 

Step 205: By using the random number k generated in the 
step 202, the hash value H(M) for the message M inputted 
by way of the I/O port 105 from the I/O terminal (I/O) 114, 
the secret key d stored in the EEPROM 104, the order n of 
the base point and the value or quantity "x mod p" calculated 
in the step 204, the arithmetic operations,mentioned below 
are carried out. 

For generation of signature r, r=x (mod n), and 

for generation of signature s, s=k _1 (H(M)+d r) (mod n). 

The arithmetic operation for generating the signature s in 
the above-mentioned arithmetic operations requires the mul- 
tiplicative inverse arithmetic. This multiplicative inverse 
arithmetic can be realized by replacing the residual division 
arithmetic given by "k -1 mod n" by the residual multipli- 
cation arithmetic "k"~ 2 mod n", as in the case of the 
processing in the step 204. As readily appreciated, the 
residual multiplication arithmetic "k"~ 2 mod n" can be 
realized with the residual multiplier 107. The result of this 
arithmetic operation represents a signature (r, s) which is 
outputted as the digital signature for the message M by way 
of the I/O port 105 from the I/O terminal (I/O) 114. 

Step 206: The processing comes to an end. 

Next, description will be turned to a processing procedure 
for generation of the digital signature according to the 
instant embodiment of the invention by reference to FIG. 3 
to FIG, 7. 

FIG. 3 is a flow chart for illustrating in detail the pro- 
cessing in the step 203 shown in FIG. 2. In the following, 
contents of the processings in the individual steps shown in 
FIG. 3 will be described. 

Step 301: Processing procedure is started. 

Step 302: A bit string k-(k ( ., k^, . . . , k u ko) 2 of the 
random number k generated in the step 202 is determined by 
combining bits of binary notation on a two-by-two bit basis 
and the bit string is scanned, starting from the least signifi- 
cant bit side. When k^'ll", the more significant bit string 
kf +1 than k ( - is added with "01". In this manner, the bit string 
is rewritten up to the most significant bit. Thus, when the 
original bit tring is represented, for example, by "10", "11", 
"10", "11", then the bit string after the transformation will 
be "01", "11", "00", "11", "11". This transformation is 
performed up to the most significant bit. The resultant bit 
string is represented by 

where k,*(00). 

The value of 1 as obtained is set to the variable i 
(hereinafter referred to as the loop counter) as the number of 
times (1+1) the residual multiplication arithmetic is to be 
repeated. 

Step 303: On the basis of a point P^X,, Y,-, Z,) transformed 
for the residual multiplication arithmetic after the three - 
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dimensional coordinate transformation of the base point, i.e., 
a table value, on the elliptic curve which had been stored in 
the EEPROM 104, as described previously, initial value is 
stored in the RAM 106 to rewrite the random number k,- for 
the point P,. 5 

Step 304: The loop counter value i is decremented by one. 

Step 305: Decision is made as to the loop counter value 
i. If the loop counter value i is smaller than 0 (zero), then the 
processing proceeds to a step 309 and, if otherwise, to a step 
306. io 

Step 306: If the value of the random number k,- is "00", the 
step 304 is resumed. If the value of the random number k ( 
is "01", then the elliptic addition arithmetic for adding the 
table value P f is performed, whereupon the step 304 is 
resumed. When the value of the random number k,- is "10", 15 
then the elliptic by-two-multiplication arithmetic is per- 
formed by multiplying the table value P, by two and sub- 
sequently the elliptic addition arithmetic is performed for 
adding the result of the elliptic by-two -multiplication 
arithmetic, whereon the step 304 is resumed. On the other 20 
hand, when the value of the random number k ( is "11", the 
additive inverse for the arithmetic operation to modulus p is 
determined for the Y-coordinate value of the table value P, 
to be placed renewal as the Y-coordinate of the table value 
P„ and the elliptic addition arithmetic is performed for 25 
adding the relevant point, whereupon the step 304 is 
resumed. 

Step 307; The processing comes to an end. 

FIG. 4 is a flow chart for illustrating in detail the elliptic 
addition arithmetic in the processing procedure described 30 
hereinbefore by reference to FIG. 3. In the following, 
processing contents in the individual steps shown in FIG. 4, 
will be described. 

Step 401: Processing procedure is started. In this 
conjunction, it should be mentioned that since p is stored in 35 
the register CDN of the residual multiplier 107 in the step 
303, residual multiplication arithmetic is performed to 
modulus p (i.e., modulo p). 

Step 402: The residual arithmetic 2 defined hereinbefore 
is executed by using the residual multiplier 107. 40 

Step 403: The residual arithmetic 1 defined hereinbefore 
is executed by using the residual multiplier 107. 

Step 404: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 405: The residual arithmetic 1 is executed by using 45 
the residual multiplier 107. 

Step 406: The CPU 102 performs the residual subtraction 
arithmetic (i.e., modular subtraction on the set of integers) to 
thereby derive an interim value W. 

Step 407: The CPU 102 performs the residual addition 50 
arithmetic to thereby derive an interim value T. 

Step 408: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 409: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 55 

Step 410: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 411: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 412: The CPU 102 performs the residual subtraction 60 
arithmetic (i.e., modular subtraction on the set of integers) to 
thereby derive an interim value R. 

Step 413: The CPU 102 performs the residual addition 
arithmetic (i.e., modular addition on the set of integers) to 
thereby derive an interim value M. 65 

Step 414: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 
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Step 415: The residual arithmetic 1 is executed by using 
the residual multiplier 107, whereby the Z-coordinate of a 
point determined after the elliptic addition arithmetic can be 
obtained. 

Step 416: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 417: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 418: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 419: The CPU 102 performs the residual subtraction 
arithmetic, whereby the X-coordinate of a point determined 
after the elliptic addition arithmetic can be obtained. 

Step 420: The CPU 102 performs the residual subtraction 
arithmetic to derive an interim value V. 

Step 421: The residual arithmetic 1 is executed by using 
the: residual multiplier 107. 

Step 422: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 423: The residual arithmetic 1 is executed by using 
the: residual multiplier 107. 

Step 424: The CPU 102 performs the residual subtraction 
arithmetic to thereby derive an interim value Y. 

Step 425: The interim value Y and value "2 -1 R mod p" 
stored in the EEPROM 104 are inputted to the residual 
multiplier 107 to realize the residual arithmetic 1, whereby 
the Y-coordinate of the point determined after the elliptic 
addition arithmetic can be obtained. 

Step 426: The processing comes to an end. 

FIG. 5 illustrates in detail in a flow chart the elliptic 
by- two-multiplication arithmetic in the processing proce- 
dure described previously by reference to FIG. 3. In the 
following, contents of the processings in the individual steps 
shown in FIG. 5 will be described. 

Step 501: The processing procedure is started. In this 
conjunction, it should be mentioned that because p is placed 
in the register CDN of the residual multiplier 107 in the step 
303, residual multiplication arithmetic to modulus p (or 
modulo p) is performed. 

Step 502: The residual arithmetic 2 defined hereinbefore 
is executed by using the residual multiplier 107. 

Step 503: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 504: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 505: The residual arithmetic 1 also defined herein- 
before is executed by using the residual multiplier 107. 

Step 506: Value "3R mod p" stored in the EEPROM 104 
and value "X a 2 R mod p" determined in the step 502 are 
inputted to the e residual multiplier 107 for thereby execut- 
ing the residual arithmetic 1. 

Step 507: The CPU 102 performs the residual addition 
arithmetic to thereby derive the interim value M. 

Step 508: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 509: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 510: Value "4R mod p" stored in the EEPROM 104 
and value "XjY^R mod p" determined in the step 509 are 
inputted to the residual multiplier 107 for thereby executing 
the residual arithmetic 1, whereby an interim value S is 
determined. 

Step 511: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 512: Value "8R mod p" stored in the EEPROM 104 
and value "Y/R mod p" determined in the step 511 are 
inputted to the residual multiplier 107 to thereby perform the 
residual arithmetic 1, whereby the interim value T can be 
obtained. 
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Step 513: The residual arithmetic 1 is executed by using 
the residual multiplier 107. 

Step 514: Value "2R mod p" stored in the EEPROM 104 
and value "YjZ 2 R mod p" determined in the step 513 are 
inputted to the residual multiplier 107 to thereby execute the 
residual arithmetic 1, whereby the Z-coordinate of the point 
determined after the elliptic by-two-multiplication arith- 
metic can be obtained. 

Step 515: The residual arithmetic 2 is executed by using 
the residual multiplier 107. 

Step 516: Value "2R mod p" stored in the EEPROM 104 
and the interim value S are inputted to the residual multiplier 
107 to thereby execute the residual arithmetic 1. 

Step 517: The CPU 102 performs the residual subtraction 
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afline coordinate system obtained after the execution of the 
step 203 into an operation range of the residual multiplier. 

Step 611: The residual arithmetic 3 is executed by using 
the residual multiplier 107. As a result of this, there is stored 
in the data register CDA the value "XZ~ 2 mod p", i.e., the 
value of the X-coordinate given by "x=XZ~ 2 (mod p)" of the 
two-dimensional affine coordinate system obtained after 
execution of the step 203. In the steps 604 to 608 described 
above, 1/Z 2 is transformed into the multiplicative inverse 
Z" 2 for determining 1/Z 2 in the operation for determining 
X/Z 2 , whereupon the value of X/Z 2 is determined by the 
residual multiplier 107. 

Step 612: The processing now comes to an end. 

As is apparent from the foregoing, in the scheme or 



arithmetic to thereby derive the X-coordinate of the point 15 system taught by the present invention, the multiple length 

determined after the elliptic by-two-multiplication arith- residual multiplication arithmetic function of the residual 

metic. multiplier 107 is made use of. Thus, there arises no necessity 

Step 518: The residual arithmetic 1 is executed by using of performing the multiple length residual multiplication 

the residual multiplier 107. arithmetic by using the CPU 102. Consequently, the number 

Step 519: The CPU 102 performs the residual subtraction 20 of the arithmetic processing steps can be decreased, which 



arithmetic to thereby derive the Y-coordinate of the point 
determined after the elliptic by-two-multiplication arith- 
metic. 

Step 520: The processing comes to an end. 

FIG. 6 is a flow chart for illustrating in detail the pro- 25 
cessing in the step 204 shown in FIG. 2. In the following, 
contents of the processings in the individual steps shown in 
FIG. 6 will be described by following the sequence. 

Step 601: The processing procedure is started. 

Step 602: On the basis of the finite field order p stored in 30 
the EEPROM 104, computation for determining (p-3) is 
performed. In that case, in the binary notation of (p-3) given 
by 

(P-3)=G/, ■ • • > ji» Jo)** wherc Ji-1> the t value of 1 is 
stored in the loop counter i as the information indicating the 35 
number of times the residual multiplication arithmetic is to 
be repeated. 

Step 603: The Z-coordinate of the point determined by the 
arithmetic operation in the step 203 is stored in the data 
registers CDA and CDB incorporated in the residual multi- 
plier 107. On the other hand, the value of p is stored 
continuously in this data register CDN of the residual 
multiplier 107, because the value of p stored in the data 
register CDN in the step 303 is held unchanged. 

Step 604: The loop counter value i is decremented by one. 

Step 605: Decision is made as to the loop counter value 
i. If the loop counter value i is smaller than 0 (zero), then the 
processing proceeds to a step 609 and, if otherwise, to a step 
606. 

Step 606: The residual arithmetic 2 defined hereinbefore 
is executed by using the residual multiplier 107. 

Step 607: Decision is made as to the value j f - for the loop 
counter value i of (p-3). Unless the value j ( - is equal to 1 
(one), the step 604 is resumed. If otherwise, the processing 
proceeds to a step 608. 

Step 608: The residual arithmetic 1 is executed by using 
the residual multiplier 107, whereon the step 604 is resumed. 

Step 609: The X-coordinate of the point determined by the 
arithmetic operation in the step 203 is stored in the data 



in turn means that the processing speed can be increased. 

FIG. 7 is a flow chart for illustrating in detail the pro- 
cessing in the step 205 shown in FIG. 2. In the following, 
contents of the processings in the individual steps shown in 
FIG. 7 will be described. 

Step 701: The processing procedure is started. 
Step 702: The value "x mod p" of the X-coordinate of k-P 
calculated in the step 204 is stored in the data register CDA 
of the residual multiplier 107. 

Step 703: The value "R mod n" stored in the EEPROM 
104 is placed in the data register CDB of the residual 
multiplier 107. Parenthetically, R represents a value inherent 
to the co-processor and a represents order of the base point 
P on the elliptic curve. 

Step 704: The order n of the base point stored in the 
EEPROM 104 is placed in the data register CDN of the 
residual multiplier 107, 

Step 705: The residual arithmetic 1 defined hereinbefore 
is executed by means of the residual multiplier (co- 
40 processor) 107. This result is held in the data register CDA 
where the value (( x mod n" is stored which represents the 
signature given by "r=x (mod n)". In succession, the pro- 
cessing proceeds to steps 706 to 713 for determining the 
signature s. 

Step 706: The value "R 2 mod n" stored in the EEPROM 
104 is placed in the data register CDB of the residual 
multiplier 107. 

Step 707: The residual arithmetic 1 defined hereinbefore 
is executed by means of the residual multiplier 107. As a 
result of this, the value "rR mod n" is determined to be 
stored in the data register CDA. 

Step 708: The secret key d stored in the EEPROM 104 is 
placed in the data register CDB of the residual multiplier 107 
in response to activation of the IC card by a signer. 

Step 709: The residual arithmetic 1 is executed by means 
of the residual multiplier 107 in response to the activation of 
the IC card by the signer. As a result of this, the value "d-r 
mod n" is determined to be stored in the data register CDA. 
Step 710: A sum of the hash value H(M) for the message 



45 



50 



55 



register CDB incorporated in the residual multiplier 107. At 60 M and the value "d r mod n" determined in the aforemen 

tioned step 709 is determined, whereon the value *'(H(M)+ 
d r) mod n" is stored in the RAM 106. 

Step 711: The multiplicative inverse "k -1 R mod n" is 
calculated through the residual multiplication arithmetic 
65 given by "k n-2 R mod n" with the residual multiplier 107. 
Concerning the calculation method to this end, reference 
should be made to the processing routine extending from the 



this time point, the value "Z P_3 R mod p" is stored in the data 
register CDA. 

Step 610: The residual arithmetic 1 is executed by means 
of the residual multiplier 107. As a result of this, there is 
stored in the data register CDA the value "XZ^ 3 R mod p", 
i.e., the value given by "xR=XZ" 2 R (mod p) M resulting from 
transformation of the X-coordinate of the two-dimensional 
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steps 601 to 609 inclusive. The above calculation will result 
in a value "k _1 R mod n" which is stored in the data register 
CDA incorporated in the residual multiplier 107. 

Step 712: The value "(H(M)+d r) mod n" stored in the 
RAM 106 in the step 710 is placed in the data register CDB 
of the residual multiplier 107. 

Step 713: The residual arithmetic 1 defined hereinbefore 
is executed by means of the residual multiplier 107. As a 
result of this, the value "k _1 (H(M)+d*r) mod n" can be 
determined to be stored in the data register CDA, whereon 
this value is outputted as the signature SHk -1 -(H(M)+d r) 
(mod n). 

Step 714: The processing comes to an end. 
With a view, to confirming the effects which can be 
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residual multiplier 107 shown in FIG. 1 is employed may be 
implemented as a single integrated unit or a combination of 
components in the form of software such as medium adapted 
to be read by the processor or in the form of hardware. The 
multiplicative inverse arithmetic module can ensure wide 
variety of applications regardless of general-purpose appli- 
cation or destined purpose application. 

As will now be appreciated from the foregoing 
description, according to the present invention, the digital 
signature generating processing based on the elliptic curve 
can be realized efficiently by making use of the residual 
multiplication arithmetic effectively. Thus the present inven- 
tion has provided a method and device which allows the 
digital signature generating processing to be executed at a 



achieved with the present invention, a program conforming is high speed in a device equipped with a residual multiplier, 

to the processing procedure described above in conjunction Many modifications and variations of the present inven- 

with the illustrative embodiment of the invention was pre- tion are possible in the light of the above techniques. It is 

pared and the execution time was measured with the opera- therefore to be understood that within the scope of the 

tion clock of the CPU being set to 5 MHz. appended claims, the invention may be practiced otherwise 

More specifically, k-P operation on the elliptic curve of 20 than as specifically described. 
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160-bit key length was performed in the three-dimensional 
protective coordinate system by using 80 reference tables 
each indicating a value of a point corresponding to by-4- 
exponentiation of a base point. Furthermore, the multipli- 
cative inverse was realized on the basis of combination of 
the Fermat's theorem and the binary operation method. For 
execution, Hitachi microcomputer model No. H8/3111 emu- 
lator for an IC card incorporating a multiple length remain- 
der multiplication arithmetic co -processor was employed 
with assembler being used as the program language. The 
result of experiment shows that the signature generating 
time (i.e., time taken for execution of the steps 201 to 206 
inclusive) through the 160-bit key length elliptic curve 
encryption method is 0.308 sec/signature. 

As is apparent from the foregoing description, the residual 35 
multiplication arithmetic and the residual division arithmetic 
are performed by using the residual multiplier with the 
residual addition arithmetic and the residual subtraction 
arithmetic being executed by the CPU while referencing the 
values determined previously and stored in a memory. Thus, 40 
according to the present invention, the elliptic curve encryp- 
tion processing can be executed at a very high speed. 

Although the foregoing description has been made with 
emphasis being put on the digital signature generating 
processing, the present invention is never restricted to the 45 
digital signature generating processing. It goes without 
saying that the teachings of the present invention can equally 
find application to signature verifying processing and cipher 
generating processing with enhanced processing speed. 

Furthermore, the present invention is never restricted to 50 
the IC card. The teachings of the present invention can 
equally be applied to a device incorporating the CPU of a 
limited processing capability and a multiplier. Accordingly, 
the phrase "IC card" used herein should be so interpreted as 
to cover such device as mentioned just above. By way of 55 
example, the teachings of the present invention can be 
applied to a microcontroller designed for carrying out 
authentication processing, IEEE 1394 LSI for encryption 
processing. Such applications are mentioned in NIKKEI 
ELECTRONICS, No. 732, Dec. 14, 1998, pp. 27 to 28. 

Although it has been described that the EEPROM is 
employed as the rewritable nonvolatile memory 104, the 
present invention is never restricted thereto. The flash 
memory known in the art can equally employed as the 
rewritable nonvolatile memory. Besides, the ROM 103 may 
be implemented by using a flash memory. Additionally, the 
multiplicative inverse arithmetic module in which the 
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What is claimed is: 

1. An IC card, comprising: 

message receiving means for receiving a message from an 
input/output terminal by way of an input/output port; 

public key encryption processing means for performing 
elliptic curve public key encryption processing on said 
message; and 

output means for outputting result of the processing 
executed by said public key encryption processing 
means from the input/output terminal via the input/ 
output port, 

wherein said public key encryption processing means 
comprises: 

multiple length arithmetic means for calculating 
through multiple length residual multiplication arith- 
metic values "ABR" 1 mod N", "A 2 !** 1 mod N", and 
"AR" 1 mod N" representing, respectively, numerical 
values to undergo computation which make appear- 
ance in intermediate arithmetic processing for posi- 
tive integers A, B, N and R. wherein A and B 
represent, respectively, variables which are given by 
input variables and/or interim variables, N represents 
a variable given as an input variable, and R repre- 
sents a numerical value given as a constant; and 

computation means for performing multiplication and 
multiplicative inverse arithmetic on a finite group by 
using said multiple length arithmetic means, 

wherein said computation means includes multiplica- 
tive inverse arithmetic means for performing arith- 
metic operation represented by "k -1 mod n" for a 
positive integer k which is relatively prime n by 
resorting to residual multiplication arithmetic repre- 
sented by "k ( "" 2) mod n" with the aid of said multiple 
length arithmetic means. 

2. An IC card according to claim 1, 

wherein said multiple length arithmetic means is consti- 
tuted by a co-processor, and 

wherein said variable R represents a constant determined 
in dependence on performance of said co-processor. 

3. An IC card according to claim 1, 

wherein said public key encryption processing is an 
elliptic curve encryption processing, further compris- 
ing: 

a rewritable nonvolatile memory for storing previously at 
least one of numerical values given by "2R mod p", 
"3R mod p", "4R mod p", "8R mod p", "2 _1 R mod p", 
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"aR mod p", "R mod p", "R 2 mod p", "R mod n", and 
"R 2 mod n", respectively, where R represents a positive 
integer which satisfies a condition that R>p, R>n for 
order (p) of a finite field when an elliptic curve (Ep) on 
the finite field is given by "y 2 =x 3 +ax+b (mod p)'*, 
wherein said rewritable nonvolatile memory can be ref- 
erenced by said multiple length arithmetic means. 

4. An 1C card according to claim 1, further comprising: 
a rewritable nonvolatile memory for storing previously 

values of points corresponding to positive integer mul- 
tiples of a base point (P) on said elliptic curve, 
wherein said values of the points corresponding to the 
positive integer multiplies of the base point (P) can be 
referenced by said multiple length arithmetic means. 

5. An encryption processing method for an IC card having 
a co-processor, comprising the steps of: 

receiving a message from an input/output terminal by way 

of an input/output port; 
performing elliptic curve public key encryption process- 
ing on said message; and 
outputting result of the processing executed in said elliptic 
curve public key encryption processing step from the 
input/output terminal via the input/output port, 
wherein said elliptic curve public key encryption process- 
ing step comprises the steps of: 
calculating through multiple length residual multipli- 
cation arithmetic by using said co-processor values 
"ABR~ l mod N", "A 2 R _1 mod N", and "AR -1 mod 
N" representing, respectively, numerical values to 
undergo computation which make appearance in 
intermediate arithmetic processing for positive inte- 
gers A, B, N and R, wherein A and B represent, 
respectively, variables which are given as input vari- 
ables and/or interim variables, N represents a vari- 
able given as an input variable, and R represents a 
numerical value given as a constant; and 
executing multiplication and inverse arithmetic on a 

finite group by using said co-processor, 
wherein said computation step includes a substep of 
executing a multiplicative inverse arithmetic for per- 
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forming arithmetic operation represented by "k" 1 
mod n" for a positive integer k which is relatively 
prime to a prime number n by resorting to residual 
multiplication arithmetic represented by "k ( "~ 2) mod 
5 n" with the aid of said co-processor. 

6. A program stored in a recording medium for performing 
encryption processing for an IC card having a co-processor, 
comprising the instruction steps of: 
J0 receiving a message from an input/output terminal by way 
of an input/output port; 
performing elliptic curve public key encryption process- 
ing on said message; and 
outputting result of the processing executed in said elliptic 
35 curve public key encryption processing step from the 
input/output terminal via the input/output port, 
wherein said elliptic curve public key encryption process- 
ing step comprises the substeps of: 
20 calculating through multiple length residual multipli- 
cation arithmetic by using said co-processor values 
"ABR" 1 mod N", "A 2 R" J mod N", and "AR" 1 mod 
N" representing, respectively, numerical values to 
undergo computation which make appearance in 
25 intermediate arithmetic processing for positive inte- 

gers A, B, N and R, wherein A and B represent, 
respectively, variables which are given as input vari- 
ables and/or interim variables, N represents a vari- 
able given as an input variable, and R represents a 
30 numerical value given as a constant; and 

executing multiplication and inverse arithmetic on a 

finite group by using said co -processor, 
wherein said computation step includes a substep of 
executing a multiplicative inverse arithmetic for per- 
35 forming arithmetic operation represented by "k" 1 

mod n" for a positive integer k which is relatively 
prime to a prime number n by resorting to residual 
multiplication arithmetic represented by "k ( "~ 2) Mod 
n" with the aid of said co -processor. 

40 

* * * + + 
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